PMXBOT Log file Viewer

#pypa logs for Thursday the 23rd of October, 2014

[19:26:43] <tos9> pip complaining about installing packages from places that it in fact is not even installing them from is a known issue right
[19:26:55] <tos9> I've definitely seen this the last time I searched for it, but not finding it right now
[19:27:56] <tos9> (saying "http://someindex.com/somepackage uses an insecure transport scheme (http). Consider using https if someindex.com has it available", when in fact that's a complete lie and pip is not installing somepackage from someindex
[19:28:59] <dstufft> is it a configured index
[19:29:00] <tomprince> tos9: But is it consulting that page as part of deciding which version of a package to install?
[19:29:23] <tos9> dstufft: no, I'm not passing --extra-index-url or --index-url
[19:29:40] <dstufft> are you passing --process-dependency-links
[19:29:56] <dstufft> or --find-links
[19:29:58] <tos9> Probably the SSCCE just involves pointing pip at a requirements file with 2 requirements, one with a regular PyPI requirement and another a straight tarball retrieved over HTTP
[19:30:10] <tos9> dstufft: nope, nothing.
[19:30:47] <tos9> tomprince: (it shouldn't be)
[19:30:56] <tos9> So I hope it isn't.
[19:31:05] <dstufft> it's just randomly adding it?
[19:31:59] <tos9> dstufft: Sorry what are the its in that sentence? I have a tarball requirement, which is installed from a URL, but then I have some regular requirements, and pip is claiming that it's looking at myurl/twisted, when that's clearly false
[19:32:12] <tos9> (that URL does not return Twisted, and Twisted is being retrieved from regular ol' PyPI)
[19:32:23] <tos9> Let me try my idea for a SSCCE.
[19:39:17] <tos9> Sigh. sorry, I'm a liar.
[19:39:59] <tos9> Apparently I was su'ed to a user that had --extra-index-url in a pip.conf
[19:40:49] <tos9> dstufft: So presumably that's intended behavior I guess? If pip is hitting an index server over HTTP, even if it returns a 404, it's going to warn that it spoke HTTP?
[19:41:00] <dstufft> yes
[19:41:05] <tos9> K, makes sense.
[19:41:20] <dstufft> a MITM could intercept the 404 and return whatever they wanted
[19:41:24] <tos9> Yeah.
[19:42:37] <tos9> Is there still a plan for verifying package signatures too? Or has that either happened already or been dropped?
[19:44:21] <dstufft> it has not happened
[19:44:31] <dstufft> there is a desire to do it, and a PEP that outlines an idea
[19:44:36] <dstufft> but there have been higher priority things
[19:44:59] <dstufft> TLS gets us most of the benefit of package signing sans the "what if the index gets compromised"
[19:45:08] <dstufft> so it hasn't been super high priority
[21:52:40] <tchaypo> Does "edit package information" include "upload a new release"?
[22:50:34] <buck1> is it possible that pip install hg+ssh://@mybranch is broken?
[22:50:39] <buck1> seems to be installing default branch
[22:51:00] <buck1> also: how would i stop it in the middle to check
[22:51:12] <buck1> pip install -e #egg= does the right thing
[22:55:34] <buck1> oh i think my tree of requirements needs coverage twice
[22:55:39] <buck1> and the first is winning?
[23:04:31] <buck1> dstufft: bug or notabug?
[23:27:36] <AuroraBorealis> I have a question on how pip selects the version to install, there is a package, when i tell pip to install it, it selects a version that is not the latest, and i'm not understanding why: http://paste.pound-python.org/show/Uwnfqxgqje6Ol3qoVtQJ/
[23:27:44] <AuroraBorealis> is it because the 'latest version' has an 'a' in it for alpha?
[23:34:55] <tos9> AuroraBorealis: Yes.
[23:35:17] <tos9> AuroraBorealis: http://pip.readthedocs.org/en/latest/reference/pip_install.html#pre-release-versions
[23:37:17] <AuroraBorealis> i'm confused, how does it 'know' it's a prerelease version? that says if it can't parse the version string then it's a prerelease version but it appears right according to the PEP it linked
[23:38:11] <AuroraBorealis> or is it just figuring out it's prerelease by the pep426 parsing
[23:39:44] <tos9> yes, that pep defines which suffixes mean things
[23:40:14] <tos9> or I guess it looks like an associated pep does
[23:40:14] <tos9> http://legacy.python.org/dev/peps/pep-0440/
[23:40:16] <AuroraBorealis> ok, documentation was just worded weird